EAP-GTC configuration
Hello, We are configuring EAP-GTC in our FreeRADIUS environment (please note that SAS is our authentication server): [cid:image003.png@01CFA747.9F2173C0] [cid:image004.png@01CFA747.9F2173C0] [cid:image006.png@01CFA747.9F2173C0] [cid:image008.png@01CFA747.9F2173C0] [cid:image010.png@01CFA747.9F2173C0] [cid:image012.png@01CFA747.9F2173C0] [cid:image010.png@01CFA747.9F2173C0] [cid:image014.png@01CFA747.9F2173C0] [cid:image016.png@01CFA747.9F2173C0] [cid:image019.png@01CFA747.9F2173C0] [cid:image021.png@01CFA747.9F2173C0] [cid:image023.png@01CFA747.9F2173C0] [cid:image025.png@01CFA747.9F2173C0] [cid:image027.png@01CFA747.9F2173C0] [cid:image029.png@01CFA747.9F2173C0] Our questions are: 1) Do you happen to know how do we obtain the plain password provided in the first Access Response message? Currently we attempt to access the active directory by running an external execution program. This means we need to get the password attribute via freeRadius attributes/environment. If we fail to find a way to get the password information from freeRadius environment then we would consider changing our design by writing a freeRadius code module. 2) The PEAP (which is actually a freeRadius instance) is currently configured is to work to proxy all access requests. This is done by setting the "users" configuration file redirect every incoming access request (DEFAULT FreeRADIUS-Proxied-to == 127.0.0.1, Proxy-to-Realm := DEFAULT). Do you know if there is way to apply redirection upon demand (in our case we would like to handle the first access request locally by verifying the username and password against the AD and redirect only the second access request, containing the user's OTP). 3) The OTP in the second access request is provided as a plain text (over ssl). Is there any way we proxy it to freeRadius agent in a secure way (e.g. MSCHAP2)? 4) Do you have any good references for freeRadius configuration docs? Regards, Yariv Levavi SafeNet's Integration Team The information contained in this electronic mail transmission may be privileged and confidential, and therefore, protected from disclosure. If you have received this communication in error, please notify us immediately by replying to this message and deleting it from your computer without copying or disclosing it.
Levavi, Yariv wrote:
We are configuring EAP-GTC in our FreeRADIUS environment (please note that SAS is our authentication server):
There's no need to post huge diagrams to the list. We're already aware of how EAP works.
1) Do you happen to know how do we obtain the plain password provided in the first Access Response message?
There is no plain-text password in the first message. Perhaps you could look at the debug output to see what's going on.
2) The PEAP (which is actually a freeRadius instance) is currently configured is to work to proxy all access requests. This is done by setting the “users” configuration file redirect every incoming access request (DEFAULT FreeRADIUS-Proxied-to == 127.0.0.1, Proxy-to-Realm := DEFAULT). Do you know if there is way to apply redirection upon demand (in our case we would like to handle the first access request locally by verifying the username and password against the AD and redirect only the second access request, containing the user’s OTP).
Yes. Write "unlang" statements to check for a condition, and then forward only if the condition is met. If you want a more specific answer, you'll have to ask a more specific question.
3) The OTP in the second access request is provided as a plain text (over ssl). Is there any way we proxy it to freeRadius agent in a secure way (e.g. MSCHAP2)?
No. Proxying EAP-GTC is a bad idea. Don't do it.
4) Do you have any good references for freeRadius configuration docs?
FreeRADIUS comes with a lot of documentation. Do you have a specific question? There's also a start at full documentation here: http://networkradius.com/doc/ Alan DeKok.
participants (2)
-
Alan DeKok -
Levavi, Yariv